Use-After-Free Vulnerability in libcurl Affecting HTTP/2 Streaming
CVE-2026-10536

Currently unrated

Key Information:

Vendor: Curl
Status: Vendor
CVE Published: 3 July 2026

What is CVE-2026-10536?

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree with CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() on the handle, and finally destroys it with curl_easy_cleanup(). The reset frees the internal structure that records the stream dependency, but the later cleanup still dereferences it, accessing memory that has already been freed. The consequences are unspecified, but the flaw can potentially lead to unauthorized actions.

Affected Version(s)

  • curl 8.20.0
  • curl 8.19.0
  • curl 8.18.0

References

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Joshua Rogers (Aisle Research)
Stefan Eissing